Cyber Risk News
The United States has withdrawn an extradition request for an Irish hacker convicted of breaking into virtual wallets to steal millions of dollars in cryptocurrency.
Conor Freeman was identified by US Homeland Security as one of at least five co-conspirators involved in a string of digital thefts that robbed multiple victims of their life savings in 2018.
Freeman was arrested at his Dublin home in May 2019 on a warrant issued by US authorities. Following his arrest, the hacker handed over stolen Bitcoin worth $2,187,977 to Gardaí.
Freeman, of Dun Laoghaire, pleaded guilty to stealing cryptocurrency, dishonestly operating a computer to make a gain, and knowingly engaging in the possession of the proceeds of crime. In November 2020, the 21-year-old was sentenced to three months in prison minus one month served in custody by Judge Martin Nolan in Dublin Circuit Criminal Court.
The US had asked Freeman to be surrendered and extradited to the United States to face charges of one count of conspiracy to commit wire fraud, four counts of aiding and abetting wire fraud, and four counts of aiding and abetting aggravated identity theft.
US authorities alleged that Freeman was a member of an organized online criminal gang called The Community that conspired to steal from targets they picked out on social media. The gang used SIM-swapping to gain control of a victim's phone number, leveraging it to break into their virtual wallets.
A member of The Community, arrested in Michigan in May 2018, gave US authorities access to his computers. The member's online chat records revealed an individual calling himself Conor was involved in the thefts.
IP addresses used by this "Conor" were linked to an Irish mobile phone provider and a residential internet service provider, both used by Conor Freeman.
The High Court heard this morning that following his conviction in Ireland, the United States was no longer seeking to prosecute Freeman, who had no prior convictions.
Had Freeman been convicted in the US on all counts, the Dubliner could have been sentenced to a maximum of 108 years behind bars.
EEMA, the leading independent European think tank focused on identity, privacy and trust, has announced the appointment of Steve Pannifer to its board of management. Pannifer, who is chief operations officer at Consult Hyperion, is renowned for his expertise in the field of digital identity.
Joining Consult Hyperion back in 1999, Pannifer has worked on numerous identity and payments initiatives for card schemes, banks and governments globally. He has also played a major role within the EEMA community, including as an advisory board member on the Horizon 2020 project. Additionally, he has chaired panel sessions with ENISA and with EEMA board of management members Kim Cameron and Dave Birch, both during the EEMA Annual Conference in June 2020 and in EEMA’s ISSE 2020 webinar, The European Single Identity System, in November 2020.
Pannifer joins a host of big names in the field of identity and security who are part of the EEMA board of management. These include Hans Graux, partner at law firm Timelex, who was appointed in June last year.
Commenting on his appointment to the board, Pannifer said: “Through my work at Consult Hyperion I am fortunate to be involved in many interesting developments around the world, especially in identity and payments. My hope is that this will enable me to bring ideas and connections that will help to shape and guide EEMA’s future activities.
“EEMA presents a fantastic way to connect into the many digital identity and related developments across Europe and beyond. The combination of conferences, fireside sessions and projects is unique. As well as meeting people EEMA offers the chance to work with those people on forward looking projects.”
Jon Shamah, chair of EEMA, stated: “I am delighted to welcome Steve to the EEMA board of management. He is very well respected in the field of digital identity and has long been a generous contributor to our community, sharing his wealth of experience and expertise.”
Brussels-based EEMA provides events, projects, collaboration, education, engagement, communication, participation and networking for companies, the public sector and individuals as part of an effort to enable the building of enduring and mutually beneficial working relationships.
An American health insurer has agreed to pay $5.1m to the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.
Excellus is a New York–based health services corporation that provides health insurance coverage to over 1.5 million people in upstate and western New York.
A breach report filed by Excellus on September 9, 2015, stated that cyber-attackers had gained unauthorized access to the company's information technology systems.
The breach began on or before December 23, 2013, and dragged on until May 11, 2015. After gaining entry to the company's systems, malicious hackers installed malware and conducted reconnaissance activities that ultimately resulted in the disclosure of protected health information (PHI) of more than 9.3 million individuals.
Information exposed in the attack included names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, health plan claims, and clinical treatment information.
Plans affected by the breach were BlueCard Members; BlueCross BlueShield of Central New York; BlueCross and BlueShield of the Rochester area; BlueCross BlueShield of Utica-Watertown; and Excellus BlueCross BlueShield.
OCR’s investigation into the security incident found potential violations of the HIPAA rules, including failures to implement risk management, information system activity review, and access controls and failure to conduct an enterprise-wide risk analysis.
“Hacking continues to be the greatest threat to the privacy and security of individuals’ health information. In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year, which endangered the privacy of millions of its beneficiaries,” said OCR director Roger Severino.
“We know that the most dangerous hackers are sophisticated, patient, and persistent. Health care entities need to step up their game to protect the privacy of people’s health information from this growing threat.”
In addition to paying a sizable monetary settlement, Excellus has agreed to undertake a corrective action plan that includes two years of monitoring.
The United States National Security Agency has announced the appointment of Rob Joyce as the new leader of its Cybersecurity Directorate.
Joyce will take over from Anne Neuberger, who was the first to lead the NSA's Cybersecurity Directorate when it was established in October 2019.
Neuberger was recently appointed Deputy National Security Advisor for Cyber and Emerging Technology for the National Security Council (NSC) by the incoming Biden administration.
Joyce has worked in NSA’s Cybersecurity and Signals Intelligence missions since 1989. Currently, he is serving as the NSA's special liaison officer at the US Embassy in London. Prior to that he worked as a senior advisor for cybersecurity strategy to the NSA director.
In 2018 Joyce won a place on the Federal 100 list. At the time of his win, Joyce was a special assistant to the president and cybersecurity coordinator in the NSC for the Trump administration.
His role at the White House was to lead the development and implementation of national and international cybersecurity strategy and policy for the US, ensuring that the federal government was effectively partnering with the private sector, nongovernmental organizations, other branches and levels of government, and other nations. Joyce also served as deputy homeland security advisor and acting homeland security advisor.
From 2013 to 2017, Joyce served as the chief of Tailored Access Operations (TAO), the NSA’s mission element that provided tools and expertise in computer network exploitation to deliver foreign intelligence. Prior to being named chief, he served as the deputy director of the Information Assurance Directorate (IAD) at the NSA, where he led efforts to harden, protect, and defend the nation’s most critical national security systems and improve cybersecurity for the nation.
Joyce has also spoken at major tech events, including the 2019 edition of the RSA conference, where he presented sessions on the weaponization of the internet and reverse engineering.
Outside of cybersecurity, Joyce is known for planning elaborate computerized light displays set to music over the holiday period. His 2020 festive efforts, titled "Notre Dame" and inspired by college football, were so impressive that NBC Sports shared a video on Twitter of the display in action.
The UK’s Ministry of Defense (MoD) experienced an 18% rise in personal data loss incidents in the financial year 2019/20, according to official figures analyzed by the Parliament Street Think Tank.
The UK government’s defense department revealed there were 546 reported incidents of personal data loss during the last financial year, up from 463 in 2018/19. Seven of the incidents were reported to the Information Commissioner’s Office (ICO) owing to their serious nature.
The vast majority (454) of incidents were recorded under the category of unauthorized disclosure. A further 49 were classified under loss of inadequately protected electronic equipment, devices or paper documents from secured government premises, with another 19 reported from outside of government premises.
Of the seven most serious incidents reported to the ICO, one involved a sub-contractor incorrectly disposing of MoD-originated material in July 2019, which led to the personnel and health data of two former employees being accidentally disclosed. Another occurred when a recorded delivery package containing the claims forms of five individuals was lost in transit between two stations in February 2020. A third example revolved around a whistleblowing report that had not been properly anonymized.
Commenting on the figures, Tim Sadler, CEO at Tessian, said: “Time and time again we see how simple incidents of human error can compromise data security and damage reputation. The thing is that mistakes are always going to happen. So, as organizations give their staff more data to handle and make employees responsible for the safety of more sensitive information, they must find ways to better secure their people.
“Education on safe data practices is a good first step, but business leaders should consider how technology can provide another layer of protection and help people to make smarter security decisions, in order to stop mistakes turning into breaches.”
The data is likely to add to fears over the vulnerability of public sector organizations to data breaches, particularly since the shift to remote working during COVID-19.
In December, Parliament Street reported that the Ministry of Justice (MoJ) had suffered 17 serious data breaches during the last financial year.
Multinational technology company Thales and TT Electronics, a global provider of engineered electronics for performance-critical applications, have announced a partnership to enable the development of operational technology cybersecurity initiatives and research.
These programs will be delivered out of the National Digital Exploitation Center (NDEC) in South Wales, which offers cyber-skills and knowledge to the region. The partnership brings together Thales’ expertise in securing critical systems with TT Electronics’ innovative approach to electronics manufacturing for high-reliability markets.
“Thales and TT Electronics have very complementary and synergistic technologies,” said Perry Duffill, VP/GM, TT Electronics Global Manufacturing Solutions. “This collaboration enables TT to provide an additional level of security assurance for our aerospace and defense, medical and industrial customers who rely on us to manufacture highly complex systems for mission critical applications.”
Gareth Williams, VP, secure communications and information systems at Thales, added that the agreement is the next logical step in the long-standing relationship between the two companies.
“While we have previously worked together at the NDEC – with TT Electronics sitting on the steering group – this agreement enables a much more intimate level of collaboration between the two companies, with a clear goal of secure and resilient operational technology.”
The largest carding marketplace on the dark web has announced it is shutting down for good, although experts warned that this will have little impact on the overall cybercrime economy.
The administrator of the Joker’s Stash site posted the news on Friday, claiming that the marketplace would remain open until February 15 this year before they go on a “well-deserved retirement.”
Experts at threat intelligence firm Gemini Advisory speculated that the announcement may be linked to news posted by “JokerStash” in October that the site had been disrupted after the administrator spent over a week in hospital with COVID-19.
They also questioned whether the recent spike in the value of Bitcoin had made the site admin now rich enough to retire.
Having been in operation since 2014, Joker’s Stash added 40 million stolen records and generated an estimated $1bn in revenue. However, the site apparently suffered a decline in the volume and quality of cards it was able to offer over the past six months.
“Most other top-tier carding marketplaces actually increased their posted data during this time. However, Joker’s Stash has received numerous user complaints alleging that card data validity is low, which even prompted the administrator to upload proof of validity through a card-testing service,” noted Gemini Advisory.
“Additionally, JokerStash’s tactics, techniques and procedures (TTPs) involved advertising in advance and then posting high-profile major breaches. The threat actor leveraged media coverage of these breaches to boast about their ability to compromise even major corporations. Most dark web marketplaces eschew such TTPs because they attract undue attention from security researchers and law enforcement; JokerStash actually celebrated such attention.”
In a sign of the adaptability of the cybercrime underground, it is predicted that JokerStash’s retirement won’t have a significant impact on the industry.
Threat actors tend to split the sale of data across multiple marketplaces anyway, so they’ll simply pivot to other sites in the future, argued Gemini Advisory.
The Scottish Environment Protection Agency (SEPA) has warned that it could take a “significant period” of time before systems and services are fully restored after it was hit by ransomware on Christmas Eve.
In a lengthy update late last week, the agency claimed that “a number” of its IT systems will remain “badly affected for some time,” and in some cases will need to be replaced completely.
“The agency confirmed that email, staff schedules, a number of specialist reporting tools, systems and databases remain unavailable with the potential for access to a series of systems and tools to be unavailable for a protracted period,” it continued.
One of these systems is a service for online reporting and enquiries about pollution. Although now restored, any information submitted to the service during the early days of the attack is not accessible.
On the plus side, SEPA said that its main regulatory, monitoring, flood forecasting and warning services continue to operate. Contact center and online self-help services are being slowly restored, including SEPA’s Floodline, 24-hour pollution hotline and environmental event reporting.
However, attackers also stole 1.2GB of data from the agency including information on procurement, commercial projects and SEPA staff, as well as its corporate plans, priorities and change programs. Some, but not all, is thought to have been publicly available.
“Whilst the actions of serious and organized criminals mean that for the moment we’ve lost access to our systems and had information stolen, what we’ve not lost is the expertise of over 1200 staff who day in, day out work tirelessly to protect Scotland’s environment,” said SEPA CEO Terry A’Hearn.
“Sadly we’re not the first and won’t be the last national organization targeted by likely international criminals. Cybercrime is a growing trend. Our focus is on supporting our people, our partners, protecting Scotland’s environment and, in time, following a review, sharing any learnings with wider public, private and voluntary sector partners.”
Official COVID-19 vaccine data stolen and leaked online by threat actors had been changed prior to publication in what could be a deliberate attempt to sow disinformation, a medical regulator has claimed.
The European Medicines Agency (EMA) first revealed the data breach back in December. Although at the time it refused to clarify what was stolen, German biotechnology company BioNTech revealed that it was one of the firms affected.
“Some documents relating to the regulatory submission for Pfizer and BioNTech’s COVID-19 vaccine candidate, BNT162b2, which had been stored on an EMA server, had been unlawfully accessed,” it said at the time.
Last week the EMA claimed some of the stolen data was released online by the attackers, although it was unclear what their motives were.
However, in an update on Friday, the agency indicated that the end goal may have been to spread fake news.
“The ongoing investigation of the cyber-attack on EMA revealed that some of the unlawfully accessed documents related to COVID-19 medicines and vaccines have been leaked on the internet,” it noted.
“This included internal/confidential email correspondence dating from November, relating to evaluation processes for COVID-19 vaccines. Some of the correspondence has been manipulated by the perpetrators prior to publication in a way which could undermine trust in vaccines.”
Attempts to manipulate public perception of events could indicate the hand of state-sponsored threat actors. Both Russia and China have developed rival vaccines to the Pfizer/BioNTech effort, and are looking to build their soft power by striking deals to supply other countries in a “vaccine diplomacy” push.
Anything that casts doubt on the efficacy of the Pfizer jab could therefore work in their favor. Alternatively, it may simply be the work of hacktivists appealing to a growing anti-vaxxer movement.
For its part, the EMA sought to reassure the public in its statement on the matter.
“Amid the high infection rate in the EU, there is an urgent public health need to make vaccines available to EU citizens as soon as possible,” it said.
“Despite this urgency, there has always been consensus across the EU not to compromise the high quality standards and to base any recommendation on the strength of the scientific evidence on a vaccine’s safety, quality and efficacy, and nothing else.”
A man from Florida has admitted cyberstalking a woman who survived a violent attack in her childhood that left another young girl dead.
Alvin Willie George of Cross City pleaded guilty to two counts of cyberstalking related to the online harassment of the survivor and her sisters.
According to court records, the victim was in a Texas bedroom with another girl in December 1999 when an assailant entered and attacked the two friends. Both girls had their throats slit.
One girl died from the attack, while her friend survived. The perpetrator of this vicious assault was later caught and convicted.
George, who has no connection to the surviving victim or her family, began harassing the victim and her family 17 years after the attack took place.
In or around November 2016, George started researching the deadly crime on the internet. The 25-year-old then created various Facebook accounts that he used to send harassing messages to the victim and her sisters, all of whom live in Idaho. In the messages, George threatened to rape and kill the women.
The case was investigated by the Federal Bureau of Investigation and the Boise Police Department.
A federal grand jury in Boise indicted George on December 11, 2019. On Thursday, the US Attorney's Office in Boise, Idaho, announced George's guilty plea.
Sentencing is scheduled to take place on April 8, 2021, before US District Judge B. Lynn Winmill at the federal courthouse in Boise.
In Idaho, the crime of cyberstalking is punishable by up to five years in prison, a maximum fine of $250,000, and a supervised release period of up to three years, per charge.
According to the Stalking Prevention, Awareness and Resource Center, an estimated 6 to 7.5 million people are stalked annually in the United States.
The majority of stalking victims are stalked by someone they know; just one in five stalking victims are stalked by a stranger.
A quarter of stalking victims report being stalked through the use of some form of technology such as e-mail or instant messaging. Ten percent of victims report being monitored with global positioning systems, and 8% report being monitored through video or digital cameras or listening devices.
The executed MOU creates a cooperative agreement between the two parties to partner in the furthering of their missions and objectives around the adoption, use, and expansion of CMMC-based cybersecurity practices for the US Department of Defense (DoD) global Defense Industrial Base (DIB) contractor community and the information and communication technology community.
Objectives of the new partnership include a desire to aid efforts to advance the goals for improving the cyber and supply-chain security and resilience of the DIB network of contractors, suppliers, and vendors.
Among the specific actions planned is the co-development of CMMC advisory services, cyber education and training programs to increase cyber adoption, accelerating CMMC certification, and improving cyber protection and resilience.
The partners also want to expand and drive diversity across the cybersecurity workforce, which in 2019 was 80% male.
“The WiCyS Mid-Atlantic is excited to team with the CMMC COE in efforts to enhance the overall security of the defense industrial base supply chain," said Diane Janosek, founder and senior advisor of Women in Cybersecurity Mid-Atlantic.
"This partnership clearly demonstrates the CMMC COE’s commitment to a diverse cybersecurity workforce, which is key to defending the nation’s cyber critical infrastructure. Creative and inclusive teaming is essential to the CMMC’s success."
Further actions planned by the partnership are the co-sponsorship of symposiums, training programs, and podcasts, leveraging their combined cyber and IT expertise, and the hosting of regular working groups, along with additional partners, to allow collaboration and communication.
The establishment of an independent Industry Cyber Security Advisory Council is also planned, with peer organizations brought in to advise and educate leaders across government and industry on the effectiveness and continued evolution of CMMC.
“This is an exciting opportunity for us,” said John Weiler, chairman of the board at CMMC Center of Excellence. “This new partnership will further help advance the goals and objectives for improving the supply chain security and resilience of the US Department of Defense.”
The UK government is investigating a technical issue that led to 150,000 arrest records being accidentally wiped from nationwide police databases.
Over 150,000 fingerprint records, DNA records, and arrest history records were lost as a result of the glitch. One source told The Times that the error could potentially allow offenders to escape justice as biometric evidence captured from crime scenes will no longer be flagged on the Police National Computer (PNC).
The error also impacted Britain's visa system, causing the processing of applications to be suspended for two days.
Sources told The Times that the records were accidentally wiped during one of the weekly data-expunging runs known as "weeding" sessions.
The newspaper reported that “crucial intelligence about suspects” had vanished as a result of the incident. However, the Home Office said that no records of criminals or dangerous persons had been deleted and that the lost data related to individuals who had been arrested and then released without charge.
UK Minister for Policing Kit Malthouse said officials were “working at pace” to attempt the recovery of the lost records.
He said: “A fast time review has identified the problem and corrected the process so it cannot happen again. The Home Office, NPCC [National Police Chiefs’ Council] and other law enforcement partners are working at pace to recover the data.
“While the loss relates to individuals who were arrested and then released with no further action, I have asked officials and the police to confirm their initial assessment that there is no threat to public safety. I will provide further updates as we conclude our work.”
Shadow Home Secretary Nick Thomas-Symonds said: “This is an extraordinarily serious security breach that presents huge dangers for public safety. The incompetence of this shambolic government cannot be allowed to put people at risk, let criminals go free and deny victims justice.”
The loss of the data follows the removal of 40,000 alerts regarding European criminals from the PNC with the UK's Brexit departure from the European Union.
The UK’s National Cyber Security Center (NCSC) has outlined the creation of a new protective domain name service (PDNS) solution in partnership with Nominet, the official registry for UK domain names.
The service, named PDNS Digital Roaming, is designed to enhance the security of public sector staff working from home as a result of the COVID-19 pandemic. The app, which is free at the point of use, extends the protection offered by the original PDNS solution, which is delivered by Nominet, to remote networks.
PDNS has been in place since 2017, and helps keep public sector organizations secure by hampering the use of DNS for malware distribution and operation. Last year, it was being used by over 760 public sector organizations, protecting an estimated 2.8 million staff.
PDNS Digital Roaming extends these protections to employees working from home by detecting when a device is outside its enterprise network and redirecting the device's DNS traffic to PDNS over the encrypted DNS over HTTPS (DoH) protocol. This applies whichever network employees use to connect to the internet.
David Carroll, MD of Nominet’s cybersecurity arm commented: “The NCSC reacted quickly to the challenges that coronavirus presented to the cyber-defense of the nation. For example, elements of the Active Cyber Defense program – including the PDNS, which is delivered by Nominet on behalf of the NCSC – were made available to many more organizations in the past year, including over 200 frontline public health bodies.
“Without a fixed IP address, staff needed another option for accessing the protections of the PDNS – PDNS Digital Roaming has been the answer. This app was launched in September to all those currently eligible to use the PDNS. By installing it on their device, staff can ensure that their DNS traffic is being directed to the PDNS and is thus protected by this innovative service.
“Keeping critical services secure has never been so important. As we position our country as a global digital leader for the future, it will be important to devise solutions that are adaptable as well as highly resilient and secure.”
At the end of last year, Infosecurity spoke to Russell Haworth, CEO of Nominet, about how the company is combatting the rise in malicious domain names since the start of the COVID-19 pandemic.
Artificial intelligence (AI) and quantum are set to be the next major technology disruptors and will have a profound impact on the cybersecurity sector, according to speakers in a session at the Consumer Electronics Show (CES) 2021.
Advancements in these areas are likely to lead to new opportunities for cyber-criminals to leverage attacks, but conversely, can also enable the development of stronger cybersecurity defenses.
Vikram Sharma, founder and CEO at QuintessenceLabs, explained that these technologies form part of the predicted “fourth industrial revolution,” which will radically enhance our technological capabilities. “The fourth industrial revolution is really a confluence of a number of technologies, so alongside AI, 5G, robotics, 3D printing and IoT, quantum is one of these very important technologies of our time.”
He said it is critical organizations now look at how they can leverage quantum for cybersecurity purposes. This is because of its potential to provide a “robust” protection of data as well as to counter the threats this tech could pose in the hands of attackers. Sharma added: “The general consensus is we may see an adversary who has a quantum computer at the right scale to impact cybersecurity within the next five to 10 years.”
Similarly, it is critical that proactive steps are taken to tackle the use of AI by threat actors to launch attacks. Pete Tortorici, director, Joint Information Warfare at the Department of Defense (DOD) Joint Artificial Intelligence Center, outlined a number of considerations in this regard: “How are we going to understand what network incident detection is going to look like in the world of AI? How do we leverage AI to secure network capabilities? How do we build robust analytics to let us know when things have happened inside of a network?”
For organizations to successfully implement AI solutions, underlying issues first need to be resolved. Tortorici said: “A lot of organizations haven’t solved the data problem that underlies being able to get after an AI solution.” He added this can be as simple as collecting and keeping the data needed to feed their algorithm.
Another issue is meeting the demand for AI specialists and data engineers from a security standpoint. Tortorici commented: “I wonder if we have the required incentives, both educational and professional, to grow this skillset over the next several decades.” He added that at the Department of Defense there is now a strong emphasis on “cultivating and retaining talent” in this area.
In regard to quantum, Sharma said that his company has observed organizations becoming increasingly aware of the transformative potential of quantum, and “a number of them have started the process of building internal subject matter expertise within their engineering and development groups around quantum.”
However, much more focus needs to be placed on its potential impact on cybersecurity. Part of this is ensuring organizations are better educated on how to adapt their security posture. Sharma added: “While awareness of quantum is developing and generally people have some conception that there is a risk to cybersecurity, there isn’t a proper understanding of what this means in terms of implications for the cyber-technologies that are deployed today.”
It is therefore critical that organizations prepare for the expected growth in AI and quantum, both to improve their productivity and to enhance their cybersecurity. The two key factors emphasized by Sharma and Tortorici were general awareness and developing the right skillsets.
The US National Security Agency (NSA) has warned enterprises that adoption of encrypted DNS services can lead to a false sense of security and even disrupt their own DNS-monitoring tools.
DNS over HTTPS (DoH) has become an increasingly popular way to improve privacy and integrity by protecting DNS traffic between a client and a DNS resolver from unauthorized access. This can help to prevent eavesdropping and manipulation of DNS traffic.
However, although such services are useful for home and mobile users and networks not using DNS controls, they are not recommended for most enterprises, the US security agency claimed in a new report.
DoH is “not a panacea,” as it doesn’t guarantee that threat actors can’t see where a client is going on the web, said the NSA.
“DoH is specifically designed to encrypt only the DNS transaction between the client and resolver, not any other traffic that happens after the query is satisfied,” the report noted.
“While this allows clients to privately obtain an IP address based on a domain name, there are other ways cyber-threat actors can determine information without reading the DNS request directly, such as monitoring the connection a client makes after the DNS request.”
Moreover, DoH can actually impair network monitoring tools designed to spot suspicious activity in DNS traffic.
“DoH encrypts the DNS traffic, which prevents enterprises from monitoring DNS with these network-based tools unless they are breaking and inspecting TLS traffic. If DoH is used with the enterprise resolver, then inspection can still occur at the resolver or using resolver logs,” the report continued.
“However, if external DoH resolvers are not blocked and DoH is enabled on the user’s browser or OS to use a different resolver, there could be issues gaining visibility into that encrypted DNS traffic.”
Malware can also use DoH to hide its C&C communications traffic, the NSA warned.
The agency urged enterprises that use monitoring tools to avoid using DoH inside their networks.
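One way to act on the report's point that visibility survives "at the resolver or using resolver logs" is to correlate outbound connections with the enterprise resolver's answers: a client connecting to an address that its enterprise DNS never handed it has resolved the name some other way, for example through an external DoH resolver. The script below is an added example, not code from the NSA report; the log line layouts and the sample entries are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample logs (not from the NSA report). Field layout is an assumption:
# enterprise resolver log: <ISO timestamp> <client IP> <queried name> <answer IP>
RESOLVER_LOG = """
2021-01-15T09:00:01 10.0.0.5 www.example.com 93.184.216.34
2021-01-15T09:05:00 10.0.0.7 intranet.example 10.0.1.20
""".strip().splitlines()

# firewall/proxy connection log: <ISO timestamp> <client IP> <destination IP> <destination port>
CONN_LOG = """
2021-01-15T09:00:02 10.0.0.5 93.184.216.34 443
2021-01-15T09:05:01 10.0.0.7 10.0.1.20 443
2021-01-15T09:06:30 10.0.0.7 203.0.113.10 443
2021-01-15T10:30:00 10.0.0.5 93.184.216.34 443
""".strip().splitlines()


def _ts(s):
    return datetime.fromisoformat(s)


def unresolved_connections(resolver_lines, conn_lines, window=timedelta(hours=1)):
    """Return (client, dst_ip, port) for every connection that no enterprise-resolver
    answer explains, i.e. no answer for the same client and the same destination IP
    within `window` before the connection was made.

    `window` must be at least the longest TTL the resolver hands out; otherwise a client
    that legitimately reuses a cached answer is flagged too (a false positive to tune,
    not a bypass)."""
    answers = {}
    for line in resolver_lines:
        ts, client, _qname, ip = line.split()
        answers.setdefault((client, ip), []).append(_ts(ts))
    flagged = []
    for line in conn_lines:
        ts, client, dst, port = line.split()
        t = _ts(ts)
        explained = any(t - window <= a <= t for a in answers.get((client, dst), ()))
        if not explained:
            flagged.append((client, dst, int(port)))
    return flagged


if __name__ == "__main__":
    for hit in unresolved_connections(RESOLVER_LOG, CONN_LOG):
        print("no enterprise DNS answer before connection:", hit)
```

With the sample data, the 10.0.0.7 connection to 203.0.113.10 is flagged because the enterprise resolver never answered that address, and the 10:30 connection from 10.0.0.5 is flagged only because the matching answer lies outside the one-hour window.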
Facebook is suing two European developers for allegedly violating its terms of service by scraping user data.
Legal action has been filed in Portugal by Facebook and Facebook Ireland against two individuals working for application/extension development company Oink and Stuff.
The firm claims its software products, available for Chrome, Firefox, Edge, Opera and Android, have over one million active users.
Romero highlighted four extensions, Web for Instagram plus DM, Blue Messenger, Emoji keyboard and Green Messenger, that contained code which Facebook claims is malicious and effectively acts like spyware.
“When people installed these extensions on their browsers, they were installing concealed code designed to scrape their information from the Facebook website, but also information from the users’ browsers unrelated to Facebook — all without their knowledge,” argued Romero.
“If the user visited the Facebook website, the browser extensions were programmed to scrape their name, user ID, gender, relationship status, age group and other information related to their account. The defendants did not compromise Facebook’s security systems. Instead, they used the extensions on the users’ devices to collect information.”
Facebook is seeking a permanent injunction against the defendants, demanding they delete all Facebook data in their possession.
This is just one of many cases brought by the social network against third parties it accuses of impacting user privacy, a push that began in earnest following the Cambridge Analytica scandal.
In September 2019, the firm revealed it had filed suits against LionMobi and JediMobi, two companies that used apps to infect users’ devices with click injection fraud malware, South Korean data analytics firm Rankwave and Ukrainians Gleb Sluchevsky and Andrey Gorbachov, who used quiz apps to scrape user data.
An e-commerce “scam-as-a-service” operation tried-and-tested in Russia has expanded to multiple European countries in 2020, making cybercrime groups over $6.5m in the process, Group-IB has warned.
The Singapore-based cybersecurity company claimed in a new report that “Classiscam” first appeared in Russia in the summer of 2019, but soon migrated west and hit a peak of activity over 2020 as remote workers surged online to shop.
There are now at least 40 active groups using the scam packages to con internet users out of their hard-earned cash.
“In the summer of 2020 we took down 280 scam pages as part of the Classiscam scheme, and by December that number grew 10-fold and reached up to 3000 pages,” said Yaroslav Kargalev, deputy head of CERT-GIB.
“We see that Classiscammers are now actively migrating from Russia to Europe and other countries. It’s not the first time that Russia has served as a testing ground for cyber-criminals with global ambitions.”
The groups publish ads for popular products on marketplaces and classified websites, with prices marked down to spark interest from buyers. Consumer electronics such as cameras, game consoles, laptops and smartphones are often listed.
Once the buyer gets in touch, the scammer typically takes the conversation off the marketplace to WhatsApp or other messenger channels, using local phone numbers to add authenticity.
The fraudster then asks for the victim’s delivery and contact information and sends a phishing link mimicking the real marketplace, which takes the user to a fake payment page.
Telegram bots are used to generate the ready-to-use phishing pages, streamlining the process and lowering the bar to entry for non-techie cyber-criminals.
Cybercrime groups using the service typically include three types of operative: admins, workers and callers.
Admins are responsible for recruiting new members, creating the scam pages and taking action when a bank blocks the victim’s transaction. Workers communicate directly with victims, while callers pretend to be tech support specialists.
Group-IB estimated that the most active groups make as much as $522,000 per month.
“So far, the scam’s expansion in Europe is hindered by language barriers and difficulties with cashing out stolen money abroad,” said Dmitriy Tiunkin, head of Group-IB Digital Risk Protection Department, Europe.
“Once the scammers overcome these barriers, Classiscam will spread in the West. The downside of popularity is competition among scammers, who sometimes frame each other without knowing it.”
There is a high risk of disinformation campaigns designed to spread panic and fear about the COVID-19 crisis, according to IT firm Fujitsu. In particular, it expects social engineering attacks to focus on fuelling uncertainty and doubt surrounding the effectiveness of COVID-19 vaccines as they begin to be rolled out across the world.
The company said that both criminal gangs and nation state actors will focus on controversial aspects of vaccine programs, including mandatory vaccination, health passports, mass immunity testing and lockdowns in these campaigns. These will target both businesses and individuals through a range of attack vectors, with phishing the most prominent.
There has been a huge rise in phishing campaigns observed since the start of the pandemic last year, with cyber-villains frequently using COVID-19 topics as lures.
The most sophisticated of these attacks will sow division between opposing sides, leading to more polarization and mistrust of information sources. This has been evident during recent elections such as the Brexit referendum in 2016 and the US elections last year.
Fujitsu added that it is already seeing malicious actors leverage issues around personal liberty linked to the pandemic, such as restrictions on movements and requirements to wear a facemask.
Paul McEvatt, head of cybersecurity innovation at Fujitsu, commented: “Phishing is at the heart of these attacks – the targeting of individuals based on their beliefs, or their circumstances, to socially engineer them into a compromised situation. People are more likely to fall for a phish when related to a topic they believe in or identify with. Today, the coronavirus pandemic is a global issue and a highly-emotional one, too, especially since it involves personal liberties and factors such as restriction on movement. There has probably never been a bigger topic for a disinformation attack.”
Earlier today, the European Medicines Agency revealed that documents related to COVID-19 medicines and vaccines have been leaked online following a cyber-attack on the regulator in December.
A Kosovan hacker, granted compassionate release after being convicted of providing personally identifiable information of over 1,000 US government personnel to ISIS, has been charged with committing further crimes while in federal prison.
The US sentenced Ardit Ferizi to 20 years in prison in September 2016 after the hacker admitted accessing a protected computer without authorization and providing material support to a designated foreign terrorist organization.
In December 2020, Federal Judge Leonie Brinkema of the Eastern District of Virginia reduced Ferizi’s sentence to time served, plus 10 years of supervised release to be served in Kosovo after the 25-year-old submitted a handwritten motion stating that his obesity and asthma made him vulnerable to COVID-19.
According to a federal complaint filed against Ferizi and unsealed on January 12, Ferizi was awaiting deportation back to his native Kosovo when the FBI determined that he had committed multiple new federal offenses. At the time of the alleged offenses, Ferizi was incarcerated at the Federal Correctional Institute in Terre Haute, Indiana.
“We allege Ferizi provided access to personal information of US citizens, even as he was serving his prison sentence for providing similar information to ISIS,” said US Attorney David L. Anderson.
According to the FBI, in 2017 and 2018 Ferizi became involved in multiple fraudulent schemes while locked up in prison by coordinating with a family member who was operating Ferizi’s email accounts. At least one email account included large databases of stolen personally identifiable information, extensive lists of stolen email accounts, partial credit card numbers, passwords, and other confidential information, accumulated through Ferizi's criminal hacking activity.
"Based on an IP address resolving to Kosovo, login activity to Ferizi’s other e-mail accounts, and other investigative information, it was determined the family member downloaded the databases of stolen information to liquidate the proceeds of Ferizi’s previous criminal hacking activity," said the Department of Justice.
Ferizi and his family member are alleged to have used the electronic services of Google, PayPal, and Coinbase to carry out these new crimes.
Ferizi, known online as Th3Dir3ctorY, is charged with one count of aggravated identity theft and one count of wire fraud in violation. If convicted of both charges, he faces a maximum penalty of 22 years in prison and a fine of $250,000.
New analysis of the 2020 vulnerability and threat landscape has found that the total number of Common Vulnerabilities and Exposures (CVEs) reported last year was 6% higher than the total reported in 2019.
While the increase between 2019 and 2020 may seem slight, the team found that from 2015 to 2020, the number of CVEs reported rose 183%, from 6,487 to 18,358.
"For the last three years, we have seen over 16,000 CVEs reported annually—reflecting a new normal for vulnerability disclosures," noted researchers.
Among the 2020 vulnerabilities disclosed were 29 that Tenable identified as net-new zero-day vulnerabilities. Of the 29 vulnerabilities, over 35% were browser-related, while nearly 29% were within operating systems. Font libraries were also popular, accounting for nearly 15% of zero-day vulnerabilities.
Reviewing at which points in the year critical CVEs were reported, researchers uncovered what they termed a "CVE Season" that coincided with summertime.
"Summer 2020—from June to August—was particularly unique for both the sheer volume and number of critical CVE disclosures," noted researchers. "547 flaws were disclosed in the summer months, including major disclosures in F5, Palo Alto Networks, PulseSecure, vBulletin and more."
An analysis of the CVE data for breach trends found that from January through October 2020, 730 publicly disclosed events resulted in the exposure of over 22 billion records. Of the industries impacted by breaches, healthcare and education made up the largest share, accounting for 25% and 13% of the breaches respectively.
Government and the technology industry were also popular targets, accounting for 12.5% and 15.5% of the breaches respectively.
Ransomware was found to be the most popular attack vector in 2020, being cited in 259 incidents. Email compromise was the cause of 105 breaches, while unsecured data led to 83 security incidents. For 179 data breaches, the root cause was unknown.
The coronavirus pandemic was used time and again by cyber-attackers to lure their victims. By the first two weeks of April, 41% of organizations had experienced at least one business-impacting cyber-attack resulting from COVID-19 malware or phishing schemes.